SSL Prof. Ravi Sandhu
SSL
Prof. Ravi Sandhu
2© Ravi Sandhu
CONTEXT
� Mid to late 90’s
� SSL 1.0 never released
� SSL 2.0 flawed
� SSL 3.0 complete redesign
� TLS from Netscape to IETF
� Competitors
� SET backed by credit card companies
� S-HTTP (as opposed to https)
� IPSEC backed by IETF committees
� SSH for secure remote access to Unix hosts
3© Ravi Sandhu
CRYPTOGRAPHIC SERVICES
� Confidentiality
� Encryption leaks profusely via side channels
� Authentication + Integrity
� No point having one without the other
� Non-repudiation
� Requires asymmetric cryptography
4© Ravi Sandhu
SYMMETRIC KEY
ENCRYPTION
EncryptionAlgorithm E
DecryptionAlgorithm D
Plain-text
Plain-text
Ciphertext
INSECURE CHANNEL
K KSymmetric Keyshared byA and B
CONFIDENTIAL AND AUTHENTICATED CHANNEL
AA BB
5© Ravi Sandhu
SYMMETRIC KEY
AUTHENTICATION
MACAlgorithm M
VerificationAlgorithm V
Plain-text
Yes/NoPlaintext + MAC
INSECURE CHANNEL
K
AA BB
K
MAC: Message Authentication Code
CONFIDENTIAL AND AUTHENTICATED CHANNEL
6© Ravi Sandhu
ASYMMETRIC KEY
ENCRYPTION
EncryptionAlgorithm E
DecryptionAlgorithm D
Plain-text
Plain-text
Ciphertext
INSECURE CHANNEL
B's Public Key B's Private Key
AUTHENTICATED CHANNEL
AA BB
7© Ravi Sandhu
ASYMMETRIC KEY DIGITAL
SIGNATURES
SignatureAlgorithm S
VerificationAlgorithm V
Plain-text
Yes/NoPlaintext + Signature
INSECURE CHANNEL
A's Private Key A's Public Key
AUTHENTICATED CHANNEL
AA BB
8© Ravi Sandhu
SPEED OF ASYMMETRIC KEY
VERSUS SYMMETRIC KEY
� Asymmetric key runs 2-3 orders of magnitude slower than symmetric key
� This large difference in speed is likely to remain independent of technology advances
9© Ravi Sandhu
MESSAGE DIGEST
message digest algorithm
original messageno practical limit to size
message digest160 biteasy hard
sign the message digest
not the message
10© Ravi Sandhu
CHALLENGE RESPONSE
AUTHENTICATION
HOSTWORK
STATION
NETWORK
User ID
Challenge
Response
11© Ravi Sandhu
PUBLIC-KEY CERTIFICATES
� authenticated distribution of public-
keys
� public-key encryption
� sender needs public key of receiver
� public-key digital signatures
� receiver needs public key of sender
� public-key key agreement
� either one or both need the other’s public key
12© Ravi Sandhu
X.509v1 CERTIFICATE
authenticated distribution of public-keys
VERSION
SERIAL NUMBER
SIGNATURE ALGORITHM
ISSUER
VALIDITY
SUBJECT
SUBJECT PUBLIC KEY INFO
SIGNATURE
13© Ravi Sandhu
X.509v1 CERTIFICATE
1
1234567891011121314
RSA+MD5, 512
C=US, S=VA, O=GMU, OU=ISE
9/9/99-1/1/1
C=US, S=VA, O=GMU, OU=ISE, CN=Ravi Sandhu
RSA, 1024, xxxxxxxxxxxxxxxxxxxxxxxxx
SIGNATURE
14© Ravi Sandhu
CRL FORMAT
SIGNATURE ALGORITHM
ISSUER
LAST UPDATE
NEXT UPDATE
REVOKED CERTIFICATES
SIGNATURE
SERIAL NUMBER
REVOCATION DATE
15© Ravi Sandhu
X.509 CERTIFICATES
� X.509v1� very basic
� X.509v2� adds unique identifiers to prevent
against reuse of X.500 names
� X.509v3� adds many extensions
� can be further extended
16© Ravi Sandhu
CERTIFICATE TRUST
� how to acquire public key of the
issuer to verify signature
� whether or not to trust certificates
signed by the issuer for this subject
17© Ravi Sandhu
SINGLE ROOT CA MODEL
Root
CA
a b c d e f g h i j k l m n o p
Root
CAUser
18© Ravi Sandhu
SINGLE ROOT CA
MULTIPLE RA’s MODEL
Root
CA
a b c d e f g h i j k l m n o p
Root
CA
User RA
User RA
User RA
19© Ravi Sandhu
MULTIPLE ROOT CA’s
MODEL
Root
CA
a b c d e f g h i j k l m n o p
Root
CAUser
Root
CA
Root
CA
Root
CAUser
Root
CAUser
20© Ravi Sandhu
MULTIPLE ROOT CA’s PLUS
INTERMEDIATE CA’s MODEL
X
Q
A
R
S T
C E G I K M O
a b c d e f g h i j k l m n o p
ESTABLISHED BROWSER MODEL
21© Ravi Sandhu
SECURE ELECTRONIC TRANSACTIONS
(SET) CA HIERARCHY
Root
Brand BrandBrand
Geo-Political
Bank Acquirer
Customer Merchant
22© Ravi Sandhu
THE CERTIFICATE
TRIANGLE
user
attribute public-key
X.509
identity
certificate
X.509
attribute
certificate
SPKI
certificate
23© Ravi Sandhu
SSL SERVICES
� peer entity authentication
� data confidentiality
� data authentication and integrity
� compression/decompression
� generation/distribution of session keys
� integrated into protocol
� security parameter negotiation
24© Ravi Sandhu
SSL ARCHITECTURE
SSL Record Protocol
TCP
IP
SSLHandshake
Protocol
SSL ChangeCipher Spec
Protocol
SSLAlert
ProtocolHTTP
OtherApplicationProtocols
25© Ravi Sandhu
APPLICATION PORTS
� https 443
� ssmtp 465
� snntp 563
� sldap 636
� spop3 995
� ftp-data 889
� ftps 990
� imaps 991
� telnets 992
� ircs 993
26© Ravi Sandhu
SSL ARCHITECTURE
� Handshake protocol: complicated� embodies key exchange & authentication
� 10 message types
� Record protocol: straightforward� fragment, compress, MAC, encrypt
� Change Cipher Spec protocol: straightforward� single 1 byte message with value 1
� could be considered part of handshake protocol
� Alert protocol: straightforward� 2 byte messages
• 1 byte alert level- fatal or warning; 1 byte alert code
27© Ravi Sandhu
SSL SESSION
� SSL session negotiated by handshake protocol
� session ID• chosen by server
� X.509 public-key certificate of peer• possibly null
� compression algorithm
� cipher spec• encryption algorithm
• message digest algorithm
� master secret
• 48 byte shared secret
� is resumable flag• can be used to initiate new connections
• each session is created with one connection, but additional connections within the session can be further created
28© Ravi Sandhu
SSL CONNECTION STATE
� connection end: client or server
� client and server random: 32 bytes each
� keys generated from master secret, client/server random
� client_write_MAC_secret server_write_MAC_secret
� client_write_key server_write_key
� client_write_IV server_write_IV
� compression state
� cipher state: initially IV, subsequently next feedback block
� sequence number: starts at 0, max 264-1
29© Ravi Sandhu
SSL CONNECTION STATE
� 4 parts to state
� current read state
� current write state
� pending read state
� pending write state
� handshake protocol
� initially current state is empty
� either pending state can be made current and reinitialized to empty
30© Ravi Sandhu
SSL RECORD PROTOCOL
� 4 steps by sender (reversed by receiver)
� Fragmentation
� Compression
� MAC
� Encryption
31© Ravi Sandhu
SSL RECORD PROTOCOL
� each SSL record contains
� content type: 8 bits, only 4 defined
• change_cipher_spec
• alert
• handshake
• application_data
� protocol version number: 8 bits major, 8 bits minor
� length: max 16K bytes (actually 214+2048)
� data payload: optionally compressed and encrypted
� message authentication code (MAC)
32© Ravi Sandhu
SSL HANDSHAKE
PROTOCOL
� initially SSL session has null
compression and cipher algorithms
� both are set by the handshake
protocol at beginning of session
� handshake protocol may be repeated
during the session
33© Ravi Sandhu
SSL HANDSHAKE
PROTOCOL
� Type: 1 byte
� 10 message types defined
� length: 3 bytes
� content
34© Ravi Sandhu
SSL HANDSHAKE
PROTOCOL
Client Server
ClientHello -------->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
Fig. 1 - Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not
always sent.
Phase 1
Phase 2
Phase 3
Phase 4
Record
Protocol
35© Ravi Sandhu
SSL HANDSHAKE
PROTOCOL
� Phase 1:� Establish security capabilities
� Phase 2:� Server authentication and key exchange
� Phase 3:� Client authentication and key exchange
� Phase 4:� Finish
36© Ravi Sandhu
SSL 1-WAY HANDSHAKE
WITH RSA
Client Server
ClientHello -------->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
Fig. 1 - Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not
always sent.
Phase 1
Phase 2
Phase 3
Phase 4
Record
Protocol
37© Ravi Sandhu
SSL 2-WAY HANDSHAKE
WITH RSA
Client Server
ClientHello -------->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
Fig. 1 - Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not
always sent.
Phase 1
Phase 2
Phase 3
Phase 4
Record
Protocol
38© Ravi Sandhu
SSL HANDSHAKE
PROTOCOL
� these 9 handshake messages must occur in order shown
� optional messages can be eliminated
� 10th message explained later� hello_request message
� change_cipher_spec is a separate 1 message protocol� functionally it is just like a message in the
handshake protocol
39© Ravi Sandhu
SSL HANDSHAKE
PROTOCOL
Client Server
ClientHello -------->
ServerHello
[ChangeCipherSpec]
<-------- Finished
[ChangeCipherSpec]
Finished -------->
Application Data <-------> Application Data
Fig. 2 - Message flow for an abbreviated handshake
40© Ravi Sandhu
SSL HANDSHAKE
PROTOCOL
� hello_request (not shown) can be sent anytime from server to client to request client to start handshake protocol to renegotiate session when convenient
� can be ignored by client
� if already negotiating a session
� don’t want to renegotiate a session
• client may respond with a no_renegotiation alert
41© Ravi Sandhu
SSL HANDSHAKE
PROTOCOL
Client Server
ClientHello -------->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
Fig. 1 - Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not
always sent.
Phase 1
Phase 2
Phase 3
Phase 4
Record
Protocol
42© Ravi Sandhu
SSL HANDSHAKE: PHASE 1ESTABLISH SECURITY CAPABILITIES
� client hello
� 4 byte timestamp, 28 byte random value
� session ID:
• non-zero for new connection on existing session
• zero for new connection on new session
� client version: highest version
� cipher_suite list: ordered list
� compression list: ordered list
43© Ravi Sandhu
SSL HANDSHAKE: PHASE 1ESTABLISH SECURITY CAPABILITIES
� server hello
� 32 byte random value
� session ID:
• new or reuse
� version
• lower of client suggested and highest supported
� cipher_suite list: single choice
� compression list: single choice
44© Ravi Sandhu
SSL HANDSHAKE: PHASE 1ESTABLISH SECURITY CAPABILITIES
� cipher suite� key exchange method
• RSA: requires receiver’s public-key certificates
• Fixed DH: requires both sides to have public-key certificates
• Ephemeral DH: signed ephemeral keys are exchanged, need signature keys and public-key certificates on both sides
• Anonymous DH: no authentication of DH keys, susceptible to man-in-the-middle attack
• Fortezza: Fortezza key exchange
we will ignore Fortezza from here on
45© Ravi Sandhu
SSL HANDSHAKE: PHASE 1ESTABLISH SECURITY CAPABILITIES
� cipher suite
� cipher spec
• CipherAlgorithm: RC4, RC2, DES, 3DES, DES40,
IDEA, Fortezza
• MACAlgorithm: MD5 or SHA-1
• CipherType: stream or block
• IsExportable: true or false
• HashSize: 0, 16 or 20 bytes
• Key Material: used to generate write keys
• IV Size: size of IV for CBC
46© Ravi Sandhu
SSL HANDSHAKE
PROTOCOL
Client Server
ClientHello -------->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
Fig. 1 - Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not
always sent.
Phase 1
Phase 2
Phase 3
Phase 4
Record
Protocol
47© Ravi Sandhu
SSL HANDSHAKE: PHASE 2SERVER AUTHENTICATION & KEY EXCHANGE
� Certificate message
� server’s X.509v3 certificate followed by optional chain of
certificates
� required for RSA, Fixed DH, Ephemeral DH but not for
Anonymous DH
� Server Key Exchange message
� not needed for RSA, Fixed DH
� needed for Anonymous DH, Ephemeral DH
� needed for RSA where server has signature-only key
• server sends temporary RSA public encryption key to client
48© Ravi Sandhu
SSL HANDSHAKE: PHASE 2SERVER AUTHENTICATION & KEY EXCHANGE
� Server Key Exchange message� signed by the server
� signature is on hash of
• ClientHello.random, ServerHello.random
• Server Key Exchange parameters
� Certificate Request message� request a certificate from client
� specifies Certificate Type and Certificate Authorities
• certificate type specifies public-key algorithm and use
� Server Done message� ends phase 2, always required
49© Ravi Sandhu
SSL HANDSHAKE
PROTOCOL
Client Server
ClientHello -------->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
Fig. 1 - Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not
always sent.
Phase 1
Phase 2
Phase 3
Phase 4
Record
Protocol
50© Ravi Sandhu
SSL HANDSHAKE: PHASE 3CLIENT AUTHENTICATION & KEY EXCHANGE
� Certificate message
� send if server has requested certificate and client has appropriate certificate
• otherwise send no_certificate alert
� Client Key Exchange message
� content depends on type of key exchange (see next slide)
� Certificate Verify message
� can be optionally sent following a client certificate with signing capability
� signs hash of master secret (established by key exchange) and all handshake messages so far
� provides evidence of possessing private key corresponding to certificate
51© Ravi Sandhu
SSL HANDSHAKE: PHASE 3CLIENT AUTHENTICATION & KEY EXCHANGE
� Client Key Exchange message
� RSA
• client generates 48-byte pre-master secret, encrypts
with server’s RSA public key (from server certificate
or temporary key from Server Key Exchange
message)
� Ephemeral or Anonymous DH
• client’s public DH value
� Fixed DH
• null, public key previously sent in Certificate Message
52© Ravi Sandhu
SSL HANDSHAKE: POST PHASE 3CRYPTOGRAPHIC COMPUTATION
� 48 byte pre master secret
� RSA
• generated by client
• sent encrypted to server
� DH
• both sides compute the same value
• each side uses its own private value and the other sides public value
53© Ravi Sandhu
SSL HANDSHAKE: POST PHASE 3CRYPTOGRAPHIC COMPUTATION
master_secret = PRF(pre_master_secret, "master secret",
ClientHello.random + ServerHello.random)
[0..47];
pre_master_secret: 48 bytes
PRF is composed of a sequence and nesting of HMACs
54© Ravi Sandhu
SSL HANDSHAKE
PROTOCOL
Client Server
ClientHello -------->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
Fig. 1 - Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not
always sent.
Phase 1
Phase 2
Phase 3
Phase 4
Record
Protocol
55© Ravi Sandhu
SSL HANDSHAKE: PHASE 4FINISH
� Change Cipher Spec message
� not considered part of handshake protocol but in some sense is part of it
� Finished message
� sent under new algorithms and keys
� content is hash of all previous messages and master secret
56© Ravi Sandhu
SSL HANDSHAKE: PHASE 4FINISH
� Change Cipher Spec message
� 1 byte message protected by current state
� copies pending state to current state
• sender copies write pending state to write current
state
• receiver copies read pending state to read current
state
� immediately send finished message under new current state
57© Ravi Sandhu
SSL HANDSHAKE: PHASE 4FINISH
verify_data
PRF(master_secret, finished_label, MD5(handshake_messages)+
SHA-1(handshake_messages)) [0..11];
finished_label
For Finished messages sent by the client, the string "client
finished". For Finished messages sent by the server, the
string "server finished".
handshake_messages
All of the data from all handshake messages up to but not
including this message. This is only data visible at the
handshake layer and does not include record layer headers.
Finished message
58© Ravi Sandhu
SSL ALERT PROTOCOL
� 2 byte alert messages
� 1 byte level
• fatal or warning
� 1 byte
• alert code
59© Ravi Sandhu
SSL ALERT MESSAGESWarning or fatal
close_notify(0),
unexpected_message(10),
bad_record_mac(20),
decryption_failed(21),
record_overflow(22),
decompression_failure(30),
handshake_failure(40),
bad_certificate(42),
unsupported_certificate(43),
certificate_revoked(44),
certificate_expired(45),
certificate_unknown(46),
illegal_parameter(47),
unknown_ca(48),
access_denied(49),
decode_error(50),
decrypt_error(51),
export_restriction(60),
protocol_version(70),
insufficient_security(71),
internal_error(80),
user_canceled(90),
no_renegotiation(100),
60© Ravi Sandhu
SSL ALERT MESSAGES
� always fatal
� unexpected_message
� bad_record_mac
� decompression_failure
� handshake_failure
� illegal_parameter
61© Ravi Sandhu
SERVER-SIDE SSL (OR 1-WAY)
HANDSHAKE WITH RSA
Client Server
ClientHello -------->
ServerHello
Certificate
<-------- ServerHelloDone
ClientKeyExchange
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
Record
Protocol
Handshake
Protocol
62© Ravi Sandhu
SERVER-SIDE
MASQUARADING
Bob
Web browser
www.host.com
Web serverServer-side SSL
Ultratrust
Security
Services
www.host.com
63© Ravi Sandhu
SERVER-SIDE
MASQUARADING
Bob
Web browser
www.host.com
Web server
Server-side SSL Ultratrust
Security
Services
www.host.comMallory’s
Web server
BIMM
Corporation
www.host.com
Server-side SSL
64© Ravi Sandhu
SERVER-SIDE
MASQUARADING
Bob
Web browser
www.host.com
Web server
Server-side SSL Ultratrust
Security
Services
www.host.comMallory’s
Web server
Server-side SSL
BIMM
Corporation
Ultratrust
Security
Services
www.host.com
65© Ravi Sandhu
CLIENT-SIDE SSL (OR 2-WAY)
HANDSHAKE WITH RSA
Client Server
ClientHello -------->
ServerHello
Certificate
CertificateRequest
<-------- ServerHelloDone
Certificate
ClientKeyExchange
CertificateVerify
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
Record
Protocol
Handshake
Protocol
66© Ravi Sandhu
MAN IN THE MIDDLE
MASQUARADING PREVENTED
Bob
Web browser
www.host.com
Web server
Client-side SSL
Ultratrust
Security
Services
www.host.com
Mallory’s
Web server
BIMM
Corporation
Client-side SSL
Ultratrust
Security
Services
www.host.com
Client Side SSL
end-to-endUltratrust
Security
Services
Bob
BIMM
Corporation
Ultratrust
Security
Services
Bob
67© Ravi Sandhu
SSL
� Deployed in broken form
� Guardian of e-commerce
� World’s most successful crypto
protocol